Sunday, September 20, 2015

Interesting. This suggests to me that both sides have shown that they could do this if they wanted to.
U.S. and China Seek Arms Deal for Cyberspace
WASHINGTON — The United States and China are negotiating what could become the first arms control accord for cyberspace, embracing a commitment by each country that it will not be the first to use cyberweapons to cripple the other’s critical infrastructure during peacetime, according to officials involved in the talks.
While such an agreement could address attacks on power stations, banking systems, cellphone networks and hospitals, it would not, at least in its first version, protect against most of the attacks that China has been accused of conducting in the United States, including the widespread poaching of intellectual property and the theft of millions of government employees’ personal data.

What other “locked” services might be attacked from the inside?
AT&T sues former workers, alleging secret scheme to unlock hundreds of thousands of phones
AT&T has filed suit against former employees alleged to have been paid tens of thousands of dollars to install malware on company computers to help “hundreds of thousands” of AT&T customers unlock their smartphones without permission.
California-based Swift Unlocks, which allegedly orchestrated the scheme and in turn sold the illicit unlocking services to AT&T customers, is also being sued.
… Once you’ve paid off your wireless contract, the FCC now requires carriers to give customers an unlock code that will allow them to take their device to another wireless provider — if they so choose.
AT&T’s suit says Swift Unlocks, based in Anaheim, Calif., was using employees inside AT&T’s customer service center in Bothell, Wash., to secretly obtain unlock codes for devices that were still under contract, which means the carrier had no obligation to release them to competing carriers.

For my Computer Security students. In order to protect an asset you need to know you have an asset. Let's hope they don't miss the forest for the trees.
Pentagon designing cyber 'scorecard' to stay ahead of hackers
The U.S. Defense Department is building a massive, electronic system to provide an overview of the vulnerabilities of the military's computer networks, weapons systems, and installations, and help officials prioritize how to fix them, the deputy commander of U.S. Cyber Command said on Thursday.
… The effort, being led by the Pentagon's chief information officer, grew out of a critical report about cyber threats released earlier this year by the Pentagon's chief weapons tester, and escalating cyber attacks by China and Russia.
The report by Michael Gilmore, the Pentagon's director of testing and evaluation, warned that nearly every major U.S. weapons system was vulnerable to cyber attacks.
… He said the initial focus of the new scorecard would be on the greatest threats, including weapons systems fielded 30 years ago before the cyber threat was fully understood, as well as newer systems that were not secure enough.

Perhaps they think you would object.
Jennifer Lynch has a two-part discussion of the topic on EFF, here and here.
In the last few years, FBI has been dramatically expanding its biometrics programs, whether by adding face recognition to its vast Next Generation Identification (NGI) database or pushing out mobile biometrics capabilities for “time-critical situations” through its Repository for Individuals of Special Concern (RISC). But two new developments—both introduced with next to no media attention—will impact far more every-day Americans than anything the FBI has done on biometrics in the past. Read about the first development below and the second here.

I'll bet they lose very few customers. AVG has a good anti-virus program.
AVG says it can sell your browsing data in updated privacy policy
AVG has updated its privacy policy's language, and in the amended document, the security firm admits that it can "make money from [its] free offerings with non-personal data." This "non-personal" info includes your device's brand, language and apps in use, among other things. The company is adamant that it doesn't sell anything with identifying information, and the data that it does collect is anonymized and stored without anything that can link it back to you. According to the updated policy, AVG can collect data you yourself provide -- plus, it can use cookies to track your searches and your activities on websites, apps and other products. It can then use those details to "build anonymous data profiles" or create statistical information, which it can then sell.
A spokesperson from the company told Wired UK that AVG updated the language to be more transparent and make sure people know that it can make money off its free products using their information. The new rules will take effect on October 15th, 2015 and by continuing to use AVG after that, you already agree to the collection – unless you take the steps to opt out. The spokesperson said that "users who do not want [the security firm] to use non-personal data in this way will be able to turn it off."

It's a privacy violation that is a big deal. How culturally aware is some kid in California with two days of training?
This is a story that was too easy to miss in my newsfeed, but as I read it, I felt tremendous fear for women in Afghanistan. What might be an annoying hack or breach here may put their lives in danger there. Read it and think.
Peter Holley reports:
By the time the distraught young woman arrived at the Sunshine Internet Cafe in western Kabul, she was in a state of panic, with tears streaming down her face.
Someone, she claimed, had hacked into her Facebook page and stolen her personal photos. The thief used those images to create a fake profile, one littered with offensive posts boasting of drug use and illicit behavior.
In Afghanistan, this can get a woman killed.
At least three or four times a week, he estimated, young women show up at his Internet cafe desperate for help. Their complaints are always the same: fake Facebook profiles using their photos, hacked personal information, inboxes deluged with pornography, and violent threats from aggressive suitors and alleged militants. Respectable reputations are demolished with a few keystrokes.
Ahmadi said he has reported fake profiles to Facebook on behalf of women more than 50 times, but it rarely matters. He suspects that the threats are so culturally specific — a profile photo showing a woman’s face or a beer Photoshopped into a photo of a female gathering, for example — that they often go unnoticed by Facebook administrators reviewing flagged accounts. What may look like an innocent account in the United States can be full of menacing innuendo to Afghan eyes.
“Most of the time, Facebook is saying, ‘No, you’re wrong, thanks for reporting, but this is not a fake account,'” he said. “I don’t think they understand the culture of Muslim countries.”
Read more on Washington Post.

I think Kim is much more amusing than Donald Trump. If Lessig is correct, it looks like the DoJ is acting as Hollywood's attack dog.
The Unsinkable Kim Dotcom?
Someone perhaps even more flamboyant than Donald Trump may be getting involved in the U.S. presidential race -- and not on the Republican side.
Notorious Internet entrepreneur Kim Dotcom is not running for office, but as his extradition case heats up in New Zealand, a possible Democratic candidate for the presidency – mild-mannered Harvard law professor Lawrence Lessig -- has come to his defense.
… Dotcom brazenly defied the U.S. authorities by relaunching his company as Mega just a year from the day the FBI took down Megaupload.
And why shouldn't he have done so? Dotcom has done no wrong, according to Lessig, who filed a 37-page affidavit on his behalf in a New Zealand court this week.
The actions spelled out in the DoJ's indictment of Dotcom "were not prohibited by criminal statutes of the United States. Filings of the DoJ attempt to create a false impression of criminal guilt and are not reliable," the affidavit concludes.

Looking from the inside – for my students.
Creating a Successful (and Legal) Internship Program
